3D Secure

Verified by Visa (VbV), MasterCard SecureCode, and AMEX SafeKey are security features that prompt customers to enter a
passcode when they pay by Visa, MasterCard, or AMEX. Merchants that want to integrate VbV, SecureCode, or SafeKey must
have signed up for the service through their bank merchant account issuer. This service must also be enabled by our
support team.

For assistance, you can send a message to Client Services or call 1-888-472-0811.

With a VbV, SecureCode, or SafeKey transaction, a customer is redirected to a bank portal to enter their secure pin
number before a transaction is processed. The bank then returns an authentication response which must be forwarded to
our API for a transaction to complete.

1. Use our 2-Step process

Use our RESTful Payment APIs to initiate the Payment and to complete the transaction request. In this standard
integration, the VbV, SecureCode, and SafeKey process requires two transaction requests.

Step 1: Submit a payment request and process the first result.

The merchant’s processing script forwards the transaction details to our REST API. The request includes a special
'term_url' variable. This term_url variable allows the merchant to specify the URL where the bank VbV or SC, or SafeKey
response is returned, after the customer enters their PIN and it is verified on the bank portal.

In the 302 response above, the 'merchant_data' attribute value should be saved in the current users session.

The merchant’s process URL decodes the response redirect and displays the information in the customer’s web browser.
This forwards the client to the VbV or SC, or SafeKey banking portal. On the bank portal, the customer enters their
secure credit card pin number in the fields provided on the standard banking interface.

The bank forwards a response to the merchant’s TERM URL including the following variables:
- PaRes (Authentication Code)
- MD (Unique Payment ID)

Step 2: Process Transaction Auth Request

The merchant takes the data posted to the TERM URL and posts the PaRes and MD (merchant_data) values to our RESTful Payments API on its 'continue' endpoint.

If the transaction fails VbV or SC, or SafeKey it is declined immediately with messageId=311 (3D Secure Failed). If the
transaction passes, it is forwarded to the banks for processing. On completion, an approved or declined message is sent
to the merchant processing script.

Upon success the term_url callback is called with following form encoded name/value params:

2. Use your own process

Some large merchants complete the Verified by Visa (VbV), MasterCard SecureCode, or AMEX SafeKey certification to handle
authentication on their own side. These merchants can use their existing VbV, SecureCode, or SafeKey authentication
process, and send the results of the bank authentication to us with their standard transaction request. To do
this, the merchant must integrate using a server-to-server type connection.

Note: This option must be enabled by us. Contact support if you want to use this method.

The VbV, SecureCode, or SafeKey bank authentication results must be sent with the transaction request using these three
system variables: